First I want to thank Lawrence for doing a review on the Protectli boxes. I thought the review seemed fair and straightforward. I’m aware the Netgate partners don’t seem to be a big fan of companies such as Protectli since they don’t contribute back to the project, however I guess that’s life.
The more I researched the Protectli devices, the more I kept coming across users saying they were just rebranded units from China sold with a warranty. After enough posts I saw mentioning similar statements, I went looking for more information and I eventually found the units sold on Aliexpress (kind of the Amazon of China). The savings in terms of price were considerable. I ended up ordering one of the units and then just added RAM and a few storage devices. The device came with an onboard wifi card which I believe Protectli wanted to charge additional for, however it was a Broadcom chipset and the b43 drivers didn’t exactly work very well with the unit. I’m not sure of the chipset of the actual Protectli wifi module, however hopefully it’s not Broadcom based since I’ve had bad experiences with Linux and Broadcom drivers in the past. Infrastructure mode I don’t believe is possible with the Broadcom chipset so it’s not very useful.
Originally I had Proxmox installed on the device using a zfs (RAID 0) config, however watching more of Lawrence’s videos I eventually switched to using xcp-ng, which I’m mostly happy with except for the loss of zfs and the problems with USB passthrough to the VMs. I’ve virtualized pfSense and an Ubuntu VM from which I run the Xen Orchestra Community Edition tool. The entire setup seems to work very well. I’ve posted my build here in case anyone needs specifics or is contemplating a more build-it-yourself solution: https://pcpartpicker.com/list/cK7BBb. The unit takes between 20-30 days to arrive from China, so unfortunately if you are in a rush, this probably isn’t a great option. I’m running it for home use so I have no idea how well it would scale for an SMB or SOHO operation.
My only real question is about management of xcp-ng itself. Although I have 6 physical network ports on the device, I’m really only using one as WAN and the other as LAN. I set the network management port of xcp-ng on the LAN interface. Is it best practice to have this run over a separate physical port or on a different network or subnet? I was told once to keep it simple but no more specifics, so I’m not exactly sure what that was supposed to mean.
I have a Protectli device which I ordered on Amazon which was a genuine Protectli device. I used it as my primary pfSense firewall (bare metal install) for the past 2 years and it has worked great with zero complaints. The wifi module for the genuine Protectli device requires a card from Protectli to work and even then, 5 GHz wifi does not work, only 2.4 GHz, so I decided to use a Unifi AC Pro AP. Only recently have I decided to retire the Protectli and get a $200 Dell R210ii for a few reasons. My Protectli did not have AES-NI capabilities and I have Gigabit internet. So with me using OpenVPN and PIA VPN for my IoT network, my Protectli could not keep up with the bandwidth. Additionally, the Protectli could not deal with the use of both pfBlocker and Suricata enabled on multiple interfaces. It bottlenecked my Gigabit internet from 980mbps down to about 500mbps and I was not satisfied with that. I can’t speak to the Chinese knock-off brand and the long term quality and reliability but the authentic Protectli is a solid device. I will admit though that for the price vs performance vs power consumption the Dell R210ii is a much better choice overall. The only downside to the Dell is the slight fan noise where the Protectli is silent.
If I were you, I would run pfSense bare metal on your device because a virtual pfSense is a pain in the butt to deal with during power outages and upgrades…at least in my experience.
@Arron – I’ve heard that about power outages and upgrades – however if there is a power outage – everything is out. I hooked my Protectli to a CyberPower backup module so it may help. I had to configure xcp-ng with NUT – and am still working on it – to appropriately shut down all the running VMs before turning itself off. Thank goodness there are some who have written a script for that, which helps.
In terms of upgrades – which upgrades specifically are you speaking about – the hypervisor or pfSense itself? I’ve upgraded pfSense and the router was down for a few but came back up and things just kind of worked. I haven’t had the pleasure of a large update with xcp-ng, however a recent minor upgrade didn’t seem to cause any problems. I’m just wondering what problems you had so I can anticipate.
So the main issues I ran into were the part about pfSense being in a VM environment. Because of that, if for any reason it goes down, you lose all internet/intranet connectivity and DNS resolution. This caused a major headache because I would then have to reconnect my monitor, keyboard and mouse to gain access to the main OS to restart or fix pfSense. Sometimes pfSense updates or package upgrades would have issues and I would lose connectivity. Didn’t happen all the time but enough to be a pain in my butt.
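The NUT-triggered VM shutdown mentioned above, written out as an added example (it is not the script the poster refers to, nor anything shipped by XCP-ng or NUT). It uses the `xe` CLI that is present on every XCP-ng host (`xe vm-list`, `xe vm-param-get`, `xe vm-shutdown`, all real commands), is meant to be called from upsmon's SHUTDOWNCMD or a NOTIFYCMD script when the UPS reports low battery, and stops the firewall guest last so that DNS and the default gateway stay up while the other guests finish; the VM name-label `pfSense` and the 120-second grace period are assumptions to adjust for your own host.

```python
#!/usr/bin/env python3
"""Graceful guest shutdown hook for NUT (upsmon) on an XCP-ng host.

Added example, not XCP-ng's or NUT's own code. Run as root on the host
(dom0) when the UPS goes on battery; after it returns, the host itself
can be powered off by upsmon as usual.
"""
import subprocess
import sys

# Assumed name-label of the firewall guest; use whatever the pfSense VM is
# called in Xen Orchestra. It is shut down last because the other guests
# may still need DNS and the gateway while they stop.
FIREWALL_LABEL = "pfSense"
# Assumed grace period per guest before falling back to a hard stop.
TIMEOUT_SECONDS = 120


def xe(*args):
    """Run the xe CLI and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(["xe", *args], check=True, capture_output=True,
                          text=True).stdout


def parse_minimal(output):
    """Turn `xe ... --minimal` output (comma separated UUIDs plus a trailing
    newline) into a list; an empty string means no matching VMs."""
    output = output.strip()
    return output.split(",") if output else []


def shutdown_order(uuids, labels):
    """Order guests so the firewall VM (matched by name-label) goes last."""
    firewall = [u for u in uuids if labels.get(u) == FIREWALL_LABEL]
    others = [u for u in uuids if labels.get(u) != FIREWALL_LABEL]
    return others + firewall


def running_guests():
    """UUIDs of running guests (dom0 excluded), in shutdown order."""
    uuids = parse_minimal(xe("vm-list", "power-state=running",
                             "is-control-domain=false", "--minimal"))
    labels = {u: xe("vm-param-get", f"uuid={u}",
                    "param-name=name-label").strip() for u in uuids}
    return shutdown_order(uuids, labels)


def stop_guest(uuid):
    """Ask the guest for a clean (ACPI) shutdown; if it has not halted
    within the grace period, or refuses, force it off so the UPS battery
    is not exhausted with the host still running."""
    try:
        subprocess.run(["xe", "vm-shutdown", f"uuid={uuid}"], check=True,
                       capture_output=True, text=True,
                       timeout=TIMEOUT_SECONDS)
        return "clean"
    except (subprocess.TimeoutExpired, subprocess.CalledProcessError):
        xe("vm-shutdown", f"uuid={uuid}", "force=true")
        return "forced"


def main():
    for uuid in running_guests():
        print(f"{uuid}: {stop_guest(uuid)}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Point upsmon at it with something like `SHUTDOWNCMD "/usr/local/sbin/nut-vm-shutdown.py && /sbin/shutdown -h +0"` in upsmon.conf (path is an assumption). The ordering matters for the same reason Arron describes for Unraid: once the pfSense guest is down, nothing else on the LAN resolves names or reaches the internet, so it should be the last thing to go.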
The other issue was that I was running Unraid as my hypervisor with pfSense running as a VM. Worked great except that my Unraid relied on pfSense DNS for name resolution and during reboots would not resolve properly and cause docker container restart issues. Your mileage will vary but just be aware of this.
The last thing was that the Protectli device was just not powerful enough for the full Gigabit internet speeds I received from my ISP. As previously stated, with my desired packages, I would only get about 500mbps and that was just not acceptable. With you running XCP-ng in addition to pfSense, you may run into the same sort of issue, including your intranet/internet speeds.
Overall I was just happy putting my pfSense on my Dell R210ii and Unraid on my R710. I have my Protectli in the closet as a backup in case my R210 dies on me.
Give it some time and let me know how everything ends up working out for you.
Don’t be afraid to run pfSense as a VM, I do it perfectly with Proxmox, should work nice with xcp.